zlib

9.3 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

zlib versions up to and including 1.3.1.2 contain a global buffer overflow in the untgz utility. The TGZfname() function copies an attacker-supplied archive name from argv[] into a fixed-size 1024-byte static global buffer using an unbounded strcpy() call without length validation. Supplying an archive name longer than 1024 bytes results in an out-of-bounds write that can lead to memory corruption, denial of service, and potentially code execution depending on compiler, build flags, architecture, and memory layout. The overflow occurs prior to any archive parsing or validation.

AI Analysis

Global buffer overflow in the untgz utility of zlib, allowing for potential code execution and denial of service

Basic Information

ID CVE-2026-22184

Source VulnCheck

Published Jan 7, 2026 at 20:25

Modified Jan 7, 2026 at 21:18

Affected Product

Vendor zlib software

Product zlib

Affected Versions zlib software zlib 0

CWE Classification

CWE-120

AI Assessment

AI Score 9.3 / 10

AI Severity Critical

Vendor Jean-loup Gailly and Mark Adler

Product zlib

Version 1.3.1.2 and earlier

References

{
    "lastseen": "",
    "description": "zlib versions up to and including 1.3.1.2 contain a global buffer overflow in the untgz utility. The TGZfname() function copies an attacker-supplied archive name from argv[] into a fixed-size 1024-byte static global buffer using an unbounded strcpy() call without length validation. Supplying an archive name longer than 1024 bytes results in an out-of-bounds write that can lead to memory corruption, denial of service, and potentially code execution depending on compiler, build flags, architecture, and memory layout. The overflow occurs prior to any archive parsing or validation.",
    "published": "2026-01-07T20:25:19.892Z",
    "modified": "2026-01-07T21:18:06.699Z",
    "type": "cve",
    "title": "zlib <= 1.3.1.2 untgz Global Buffer Overflow in TGZfname()",
    "source": "VulnCheck",
    "references": "https://seclists.org/fulldisclosure/2026/Jan/3\nhttps://zlib.net/\nhttps://github.com/madler/zlib\nhttps://www.vulncheck.com/advisories/zlib-untgz-global-buffer-overflow-in-tgzfname",
    "id": "CVE-2026-22184",
    "bulletinFamily": "",
    "cwe": [
        "CWE-120"
    ],
    "cvelist": null,
    "sourceData": "zlib software zlib 0",
    "sourceHref": "",
    "cvss": {
        "score": 9.3,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "zlib",
    "version": "0",
    "vendor": "zlib software",
    "ai_description": "Global buffer overflow in the untgz utility of zlib, allowing for potential code execution and denial of service",
    "ai_severity": "Critical",
    "ai_vendor": "Jean-loup Gailly and Mark Adler",
    "ai_product": "zlib",
    "ai_version": "1.3.1.2 and earlier",
    "ai_score": 9.3
}

zlib <= 1.3.1.2 untgz Global Buffer Overflow in TGZfname()_CVE-2026-22184